On the decoding of binary cyclic codes with the Newton's identities

HAL Id: inria-00509219

https://hal.inria.fr/inria-00509219

Submitted on 10 Aug 2010

HAL is a multi-disciplinary open access archive for the deposit and dissemination of sci- entific research documents, whether they are pub- lished or not. The documents may come from

L’archive ouverte pluridisciplinaire HAL, est destinée au dépôt et à la diffusion de documents scientifiques de niveau recherche, publiés ou non, émanant des établissements d’enseignement et de

On the decoding of binary cyclic codes with the Newton’s identities

Daniel Augot, Magali Bardet, Jean-Charles Faugère

To cite this version:

Daniel Augot, Magali Bardet, Jean-Charles Faugère. On the decoding of binary cyclic codes with the Newton’s identities. Journal of Symbolic Computation, Elsevier, 2009, Gröbner Bases in Cryptogra- phy, Coding Theory, and Algebraic Combinatorics, 44 (12), pp.1608-1625. �10.1016/j.jsc.2008.02.006�.

�inria-00509219�

On the decoding of binary cyclic codes with the Newton’s identities

Daniel Augot

INRIA-Rocquencourt

Magali Bardet

Laboratoire LITIS Universit´e de Rouen

Jean-Charles Faug`ere

INRIA Rocquencourt, Salsa project

Universit´e Pierre et Marie Curie-Paris 6 ´Equipe SPIRAL CNRS-UMR 7606, LIP6

Abstract

We revisit in this paper the concept of decoding binary cyclic codes with Gr¨obner bases. These ideas were first introduced by Cooper, then Chen, Reed, Helleseth and Truong, and eventually by Orsini and Sala. We discuss here another way of putting the decoding problem into equations: the Newton’s identities. Although these identities have been extensively used for decoding, the work was done man- ually, to provide formulas for the coefficients of the locator polynomial. This was achieved by Reed, Chen, Truong and others in a long series of papers, for decoding quadratic residue codes, on a case-by-case basis. It is tempting to automate these computations, using elimination theory and Gr¨obner bases.

Thus, we study in this paper the properties of the system defined by the Newton’s identities, for decoding binary cyclic codes. This is done in two steps, first we prove some facts about the variety associated to this system, then we prove that the ideal itself contains relevant equations for decoding, which lead to formulas.

Then we consider the so-called online Gr¨obner bases decoding, where the work of computing a Gr¨obner basis is done for each received word. It is much more efficient for practical purposes than preprocessing and substituting into the formulas. Finally, we conclude with some computational results, for codes of interesting length (about one hundred).

Key words: Cyclic codes, quadratic residue codes, elimination theory, Gr¨obner bases,F4 algorithm.

1 Introduction

1.1 Introduction and Previous work

A motivation for this work is to find decoding algorithms for the quadratic residue codes, which are a very special and interesting family of cyclic codes.

We consider only binary codes. For each prime numberl, such that 2 is a square modulol, there exists essentially one quadratic residue code of lengthl. These codes have a not so bad minimum distance, from the square-root bound, and in practice they perform even better, from compiled tables by Macwilliams and Sloane (1983); Grassl (2000). But there is no general decoding algorithm of the quadratic residue codes, and several efforts have been made in order to decode them. Let us cite the works of Chen, Chang, Reed, Helleseth, Truong etc: Reed et al. (1990a,b, 1992); Chen et al. (1994c); Lu et al. (1995); He et al.

(2001); Chang et al. (2003); Truong et al. (2005), for the lengths 31, 23, 41, 73, 47, 71, 79, 97, 103 and 113. We note that for each prime l, the authors had to design a new decoding algorithm, almost from scratch each time.

These algorithms are based on the same principle: given the received word e, the set of its syndromesis computed, and the error locator polynomial has to be determined. For this, the authors write down a system of equations, whose indeterminates are 1) the syndromes, 2) the coefficients of the error locator polynomial, 3) the so-called unknown syndromes. This system is based on the Newton’s identities. Once that this system was written, the above authors try to eliminate the unknown syndromes, and to express the coefficients of the locator polynomial as polynomials or rational functions in terms of the syndromes. Then, to decode, one only needs to substitute the actual value of the syndromes into the formulas, to get the locator polynomial. Finding the expression of the locator polynomial is tedious and error prone, as the length of the codes grows.

It makes sense to use tools from computer algebra to automate these steps.

This can actually be done for any cyclic code, although Cooper III (1990, Email addresses: Daniel.Augot@inria.fr(Daniel Augot),

magali.bardet@univ-rouen.fr(Magali Bardet),

Jean-Charles.Faugere@lip6.fr(Jean-Charles Faug`ere).

URLs: www-rocq.inria.fr/~augot (Daniel Augot),

www-calfor.lip6.fr/~bardet/(Magali Bardet), fgbrs.lip6.fr/jcf/

(Jean-Charles Faug`ere).

1991b,a) considered it only for BCH codes. The system of equations introduced by Cooper III is different from the system of the Newton’s identities, and can also be used for any cyclic code, see Chen et al. (1994b). The properties of these systems have been proven by Loustaunau and York (1997) and Caboara and Mora (2002), for any cyclic code. In Orsini and Sala (2005), this system is called CRHT (or more precisely, the variety associated to it is called the CRHT variety), and it is further refined in order to get what the authors call general error locator polynomials, which is computed offline, and then used for decoding online. Several examples are given in Orsini and Sala (2005), and exhaustive computations for all 2-error correcting cyclic codes of length less than 63 have been done by Orsini and Sala (2007).

1.2 Our contributions

We consider another system of equations than the CRHT one and its deriva- tive. We consider the system based on the Newton’s identities, as was already done by Chen et al. (1994a) (see also de Boer and Pellikaan (1999a,b)). We have already discussed the use of Gr¨obner bases for decoding cyclic codes in Augot et al. (2003), but for another system, and also, for doing onlineGr¨o- bner bases computation. In the present paper, we prove that the system of the Newton’s identities can be used forofflineGr¨obner bases computation, (called One Step Decoding in de Boer and Pellikaan (1999a,b)), to find formulas for the coefficients of the locator polynomial, which are of the form:

σi = qi

pi

.

It is not clear how these formulas relate to the general error locator polynomi- als of Orsini and Sala (2005). But we think that the approach of precomputing formulas for the decoding is rather inefficient for two reasons: the computa- tion of these formulas is rather intractable, and even when the formulas are obtained, they are to huge to be practical.

Our second contribution is to show that it is much better to perform online Gr¨obner bases computations: for each received word, one writes down the system of the Newton’s identities with the known syndromes of the errors, the unknown syndromes, and the locators. We show in this paper that the elimination of the unknown syndromes by a computation of a Gr¨obner basis leads directly to the value of the coefficients of the locator polynomial. This is in practice much faster.

Thanks to fast algorithms for computing Gr¨obner bases Faug`ere J.C. (1999);

Faug`ere J.C. (2002) and fast implementation (FGb or Magma for instance), we get a reasonable number of operations for decoding cyclic codes, even for

codes of length one hundred or more. We will also show how the speed of the decoding can be improved using code generation techniques.

1.3 Outline of the paper

The paper is organized as follows. In Section 2, we recall the properties of Gr¨obner bases (elimination and specialization) that we need in the sequel.

In Section 3, we recall the definition of cyclic codes, and some important properties of the Fourier Transform. In Section 4, we determine the variety associated to the Newton’s identities. Section 5 is devoted to One Step De- coding (i.e. finding formulas for decoding), while Section 6 deals with online computation of Gr¨obner bases. Section 7 explains how to use a single Gr¨obner basis computation on one set of syndromes to derive the other computations on the other sets of syndromes, using code generation techniques. Section 8 presents some Figures and Tables.

2 Background on Gr¨obner bases

2.1 Definition

We consider F[X1, . . . , Xn], where F is a field and X1, . . . , Xn are indetermi- nates. A monomial ordering <over the set of monomialsX₁ⁱ¹· · ·X_nⁱⁿ is a total ordering, compatible with multiplication by a monomial, which is also a well ordering (see (Cox et al., 1992, Chapter2, Definition 1)). Given a polynomial f ∈ K[X₁, . . . , Xn], the leading monomial, leading term, and leading coeffi- cient of f are then defined (Cox et al. (1992)). The classical definition of a Gr¨obner basis is the following.

Definition 1 A Gr¨obner basis of an ideal I ⊂F[X1, . . . , Xn] is a set of poly- nomials G = {g₁, . . . , gr} ⊂ I such that the leading monomials of the gi’s generate by monomial-wise multiplication all the leading monomials of the polynomials in I.

We postpone the discussion on the algorithms to compute Gr¨obner bases to Section 6.

2.2 Gr¨obner bases and elimination

Definition 2 (Eisenbud (1995) p.357) An elimination ordering with respect to two blocks of variables[X1, . . . , Xi]>[Xi+1, . . . , Xn]is a monomial ordering such that any monomial involving one of the X₁, . . . , Xi is greater than any monomial involving only monomials from {Xi+1, . . . , Xn}.

For instance, the lexicographical (Lex) ordering on [X1, . . . , Xn] is an elimi- nation ordering for the blocks [X1, . . . , Xi] and [Xi+1, . . . , Xn] for any i. The following two properties will be useful:

Theorem 1 (Elimination Theorem, Cox et al. (1992)) LetGbe a Gr¨o- bner basis of an ideal I ⊂ F[X1, . . . , Xn] for an elimination ordering with respect to two blocks [X1, . . . , Xi]>[Xi+1, . . . , Xn]. Then, the set

Gi =G∩F[Xi+1, . . . , Xn]

is a Gr¨obner basis of the i-th elimination ideal Ii =I∩F[Xi+1, . . . , Xn].

Given an ideal I ⊂ F[X1, . . . , Xn], we denote by V(I) the variety associated toI, which is the set of solutions of I in the algebraic closure Fof F, i.e.

V(I) =ⁿx∈Fⁿ |p(x) = 0, ∀p∈I^o.

Definition 3 An ideal I is zero-dimensional if V(I) is finite, and is of pos- itive dimension otherwise.

We have that if Πi denote the projection on the n−i last coordinates, i.e.

Πi(x1, . . . , xn) = (xi+1, . . . , xn) then Πi(V(I)) =V(Ii).

2.3 Specialization

We have the following Theorem about the properties of specialization. Let f ∈ F[Y, X], with X = (X1, . . . , Xn). We denote by LT(I) the set of the leading terms of polynomials of an ideal I, and LTY(f) the leading term off, seen as a polynomial in F_q[Y][X]. We will distinguish a given indeterminate Xi from an actual value given to it, that we shall denote with an asterisk X_i^∗ ∈F.

Theorem 2 (Gianni (1989); Kalkbrener (1989)) Let I ⊂ F[Y, X] be a zero-dimensional ideal, X^∗ ∈Fⁿ be given, andϕX^∗ the specialization of all the

variables but one

ϕX^∗ : F[Y, X] → F[Y] f(Y, X) 7→ f(Y, X^∗)

(1)

Then there exists a polynomial g ∈ I such that ϕX^∗(I) = hϕX^∗(g)i and deg_Y g = deg_Y ϕX^∗(g).

Given an idealI ⊂F[X1, . . . , Xn],S ={Xi1. . . , Xi_l}a subset of{X1, . . . , Xn}, and S^∗ ={X_i^∗1. . . , X_i^∗_l} ∈F^l, we use the notationp(S 7→S^∗) for the substitu- tion of the Xij by the X_i^∗_j in the polynomial p, and the notation I(S 7→ S^∗) for the same operation on the ideal I.

3 Background on cyclic codes

3.1 Definition

We consider only binary codes. Let the reader be warned that our new results do not hold over any field, but only for this particular case. Let n be an odd integer, a cyclic codeCof lengthnis an ideal of the algebraF₂[X]/(Xⁿ−1). We shall identify a word c= (c0, . . . , cn−1)∈Fⁿ

2 with the polynomial c(X) =c0+ . . . c_n−1Xⁿ⁻¹. The codeC is generated as an ideal by itsgenerating polynomial g(X), which divides Xⁿ−1. Let α be a primitive n-th root of unity, in some extension F₂m of F₂, a cyclic code C can be given by its defining set Qwhich is

Q=ⁿi∈ {0, . . . , n−1}, g(αⁱ) = 0^o.

We note N ={0, . . . , n−1} \Q(think of Q as the (Q)uadratic residues, and N the (N)on residues, or (N)on syndromes). We note k,d, and t=⌊^d−1₂ ⌋ the dimension, the minimum distance of C, and the error correction radius of C.

For any word in Fⁿ

2, we define its Fourier Transform, also known as the Mattson-Solomon polynomial. Note that we introduce the definition over the algebraic closure, because we will introduce algebraic systems whose solutions may lie in arbitrary extensions of F₂.

Definition 4 Let F₂ denote the algebraic closure of F₂. The Fourier trans- form of the word c = ^Pn−1_r=0 crx^r ∈ F₂[x]/(xⁿ−1) is the polynomial S(Z) =

Pn−1

i=0 S_i^∗Zⁿ⁻ⁱ⁻¹∈F₂[Z], where S_i^∗ =c(αⁱ) for all i∈ {0, . . . , n−1}.

Let y = (y0, . . . , yn−1) ∈ Fⁿ

2 the word to be decoded, and c the transmitted codeword. We write y = c+e, where e ∈ Fⁿ

2 is the error. Let (A^∗₀, . . . , A^∗_n−1) be the Fourier Transform of the known word y then, concerning the Fourier Transform (S₀^∗, . . . , S_n−1^∗ ) of e, we have that S_i^∗ = A^∗_i, for i ∈ Q. The Si,

i ∈ Q, are the syndromes of the error, while the Si, i 6∈ Q are the unknown syndromes.

Given τ ∈ N, the syndrome decoding principle is, given the syndromes Si of the received word, to find the erroreof weight w≤τ such that its syndromes are theSi, i∈Q. In the case when τ =t=⌊^d−1₂ ⌋, we have a unique solution.

We shall consider this case, but also the case when τ > t, in which case we may not have a unique solution to the decoding problem.

The Fourier transform satisfies the following Theorem, sometimes known as Blahut’s Theorem. Since we state the Theorem in the unusual context of the algebraic closure of F₂, we give the proof to convince the reader.

Theorem 3 Let S^∗(Z) = ^Pn−1_i=0 S_i^∗Zⁿ⁻ⁱ⁻¹ be the Fourier transform of some word c ∈ Fⁿ

2. Then the weight of c is equal to rank of the following circulant matrix CS^∗:

CS^∗ =





















S₀^∗ S₁^∗ . . . S_n−2^∗ S_n−1^∗ S₁^∗ S₂^∗ . . . S_n−1^∗ S₀^∗

... ...

S_n−1^∗ S₀^∗ . . . S_n−3^∗ Sn−2





















. (2)

Proof Letc= (c0, . . . , cn−1). For i∈ {0, . . . , n−1}, we have that (all indices are to be considered modulon)





















S_i^∗ S_i+1^∗

...

S_i+n−1^∗





















=F





















c0

αⁱc1

...

α⁽ⁿ⁻¹⁾ⁱcn−1





















,with F =





















1 1 . . . 1

1 α¹ . . . αⁿ⁻¹ ... ... ... ...

1 αⁿ⁻¹ . . . α^{(n−1)(n−1)}





















.

Then





















S₀^∗ S₁^∗ . . . S_n−2^∗ S_n−1^∗ S₁^∗ S₂^∗ . . . S_n−1^∗ S₀^∗

...

S_n−1^∗ S₀^∗ . . . S_n−3^∗ S_n−2^∗





















=F





















c₀ c₀ . . . c₀

c1 αc1 . . . αⁿ⁻¹c1

... ... . .. ...

cn−1 αⁿ⁻¹cn−1 . . . α^{(n−1)(n−1)}cn−1





















=F





















c₀ 0 . . . 0 c1 0 . . .

... . ..

0 . . . 0 cn−1





















F.

Now the rank of the inner diagonal matrix is equal to the weight of c, and F is an invertible Vandermonde matrix. 2

3.2 The locator polynomial

Let the error e be of weight w, and let u1, . . . , uw the indices of the non zero coordinates of e. These indices are encoded in the locator polynomial σ(Z), defined as follows:

σ(Z) =

w

Y

i=1

(1−α^uiZ) =

w

X

i=0

σiZⁱ,

where σ1, . . . , σw are the elementary symmetric functions of α^u1, . . . , α^uw, which are in turn denoted Z1. . . , Zw, and are called the locators ofe. Finding e is equivalent to finding σ(Z), and the problem is considered to be solved when σ(Z) is found, thanks to the Chien search (Chien (1964)), which is an efficient method for finding thei’s such that σ(α⁻ⁱ) = 0.

3.3 The Newton’s identities

The Newton identities relate the elementary symmetric functions of the lo- cators of e to the coefficients of the Fourier Transform of e. They have the following form (see Macwilliams and Sloane (1983)):















Si+

i−1

X

j=1

σjSi−j +iσi = 0, i≤w, Si+

w

X

j=1

σjSi−j = 0, w < i≤n+w.

(3)

Note that the indices of the Si are cyclic, i.e. Si+n = Si. In these equations, we are looking for the σi’s, we know the Si, i ∈ Q, and we try to eliminate the Si’s,i6∈Q.

3.4 Matricial forms of the Newton’s identities

We split the Newton’s identities into two part: the circulant part and the quasi-triangular part. The triangular part is the following

IT,w ={Si+

i−1

X

j=1

σjSi−j +iσi i∈ {1, . . . , w}}. (4) and the circulant part is the following

IC,n,w =







S_w+imodn+

w

X

j=1

σjS_w+i−jmodn, i∈ {1, . . . , n}







; (5)

We introduce the following circulant matrix:

CS =





















S0 S1 . . . Sn−2 Sn−1

S₁ S₂ . . . S_n−1 S₀

... ...

S_n−1 S₀ . . . S_n−3 S_n−2





















. (6)

Then IC,n,w can be written as

CS[σw, σw−1, . . . σ₁,1,0, . . . ,0]^t = 0. (7) The system IC,n,w can also be written in a polynomial manner as follows:

S(Z)σw(Z) = 0 modZⁿ−1, (8)

with S(Z) =^Pn_i=1SiZⁿ⁻ⁱ and σw(Z) = 1 +^Pw_i=1σiZⁱ.

3.5 Waring formulas

Using the triangular part and the circulant part of the Newton’s identities, we can write successively the Si’s in terms of the σi’s. Thus there exists a polynomial Ww,i such that

Si =Ww,i(σ1, . . . , σw) modIT,w+IC,n,w, i∈ {0, . . . , n−1}. (9)

These expressions are known as the Waring formulas. An explicit expression for Ww,i is even known and can be found in Lidl and Niederreiter (1996).

3.6 Algebraic Systems

We consider the ideal IN,n,v generated by the Newton identities:

IN,n,v :

*Si+^Pi−1_j=1σjSi−j+iσi, 1≤i≤v Si+^Pv_j=1σjSi−j, n+v ≥i > v Si+n+Si, i∈ {1, . . . , v}.

+

. (10)

In the above, we indicate that we use cyclic indices for the Si by adding the relations Si+n +Si. Let us note by σ the set of the variables {σ1, . . . , σv}, by SQ the set {Si;i ∈ {1, . . . , n+v}, imodn ∈ Q}, and SN the set {Si, i ∈ {1, . . . , n+v}}\SQ. ThenIN,n,v is an ideal in the polynomial ringF₂[σ, SQ, SN].

Recall that to show the difference between the indeterminates and the actual values in F₂, we will append an asterisk to indeterminates when speaking of values: for instance S₁^∗ is an actual value in F₂ (the first syndrome of a given error) given to the indeterminate S1, which is used in equations.

We know that, if we are givenS_Q^∗,S_N^∗ , and theσ_i^∗, they will satisfy the system of equations defined by the ideal IN,n,w. We first deal with the converse: what are the solutions of the system of equations defined by the IN,n,v? Then, we will also show that IN,n,v contains polynomials relevant for decoding.

Definition 5 Let A = F_q[Z1, . . . , Zv, σ1, . . . , σv, S1, . . . , Sn, . . . Sn+v], let us define the following ideals. The ideal of the elementary symmetric functions:

Iσ,v=

*

σi− ^X

1≤j1<···<ji≤v

Zj1. . . Zji;i∈ {1, . . . , v}

+

; (11)

and the ideal of the cyclic power sum symmetric functions:

IS,n,v =

*Si−^Pv_j=1Z_jⁱ, i∈ {1, . . . , n+v};

Si+n−Si, i∈ {1, . . . , v}

+

. (12)

Proposition 1 The idealIN,n,v is the elimination ideal of theZi’s in the ideal IS,n,v+Iσ,v:

(IS,n,v+Iσ,v)∩F_q[S, σ] =IN,n,v.

Let us first recall the following Theorem of Machi-Valibouze Valibouze (1995).

Theorem 4 Let f(Z) =Z^v+^Pv_i=1σiZ^v−i ∈F₂[σ][Z]. Let the fi polynomials, i∈ {1, . . . , v}, be iteratively constructed as follows (Cauchy Modules):

f1(Z1) =f(Z1), (13)

fi+1(Z1, . . . , Zi+1) =fi(Z1, . . . , Zi−1, Zi)−fi(Z1, . . . , Zi−1, Zi+1)

Zi−Z_i+1 . (14)

Then, for every i ∈ {1, . . . , v}, fi ∈ F_q[σ][Z1, . . . , Zi]. Furthermore, with the lexicographical ordering Zv > Zv−1 > · · · > Z1 > σv > · · · > σ1, fi has a leading term equal to Zi, and Gσ,v ={f1, . . . , fv} is a Gr¨obner basis of Iσ,v. Proof of Proposition 1 Since n and v are fixed, let us write IN = IN,n,v, Iσ = Iσ,v, and IS = IS,n,v. We can infer the Newton’s identities (triangular and circular) from the definition of the elementary and power-sum symmetric functions. We thus have:

IN ⊂(IS+Iσ)∩F_q[σ1, . . . , σv, S1, . . . , Sn, . . . , Sn+v]. (15) To prove the reverse inclusion, we proceed in two steps: first we prove that IS+Iσ =IN +Iσ, then that

(IN +Iσ)∩F_q[σ1, . . . , σv, S1, . . . , Sn+v] =IN. (16) The Waring formulas are obtained from the Newton’s identities, thus:

Si−Wv,i(σ1, . . . , σv) = 0 modIN, i∈ {1, . . . , n+v}. (17) We note (as a short hand notation) si, i∈ {1, . . . , v}, for the polynomial

si = ^X

1≤j1<···<ji≤v

Zj1. . . Zji, then σi−si ∈Iσ, and Si−Wv,i(s1, . . . , sv)∈IN +Iσ.

Last, let us write (also as a short hand notation) pi, i ∈ {1, . . . , n + v}, for the polynomial ^Pv_j=1Z_jⁱ, then, from the Waring formulas, we have that pi =Wv,i(s1, . . . , sv), which implies

Si−pi ∈IN +Iσ, i∈ {1, . . . , n+v},

i.e. IS ⊂IN +Iσ. Thus IS+Iσ ⊂IN +Iσ and the equality IS +Iσ =IN +Iσ

follows.

We now prove (16). Let GN be a Gr¨obner basis ofIN, for any ordering, and let Gσ be the Gr¨obner basis of Iσ described in Theorem 4. Then GN ∪Gσ

is a Gr¨obner basis of IN +Iσ. Indeed, from Theorem 4, Gσ does not contain any polynomial whose leading term contains one of theσi’s. Then, the leading

terms of the polynomials in GN and of the polynomials in Gσ are relatively prime, a fact which implies that GN ∪Gσ is Gr¨obner basis. The elimination properties of Gr¨obner bases imply that

(GN ∪Gσ)∩F_q[σ1, . . . , σn, S1, . . . , Sn+v] (18) is a Gr¨obner basis of (IN+Iσ)∩F_q[σ1, . . . , σv, S1, . . . , Sn+v]. Since, from The- orem 4,Gσ∩F_q[σ1, . . . , σv] ={0}, the elimination properties of Gr¨obner bases also imply thatGN is a Gr¨obner basis of (IN+Iσ)∩F_q[σ1, . . . , σv, S1, . . . , Sn+v].

2

4 The variety associated to the Newton’s identities

Theorem 5 Let F_q be the finite field with q elements. Let e be a word in Fⁿ

q, of weight w, σ^∗(Z)its locator polynomial, andS^∗ = (S₀^∗, . . . , S_n−1^∗ ) its Fourier Transform. Let us consider IN,n,v the Newton’s identities written for a given weight v 6=w. Then:

1. The circulant part of the Newton Identities, when specialized on S^∗ has a solution

ρ^∗ = (ρ^∗₁, . . . , ρ^∗_v)∈F^v_q,

if and only if the weight w of e is less than or equal to v.

2. Suppose thatw≤v and let ρ^∗ be as previously, then the polynomialρ^∗(Z) = 1 +^Pv_i=1ρ^∗_iZⁱ, is a multiple of σ^∗(Z).

3. If the characteristic of F_q is 2, and if furthermore S^∗ and ρ^∗ are solutions of the triangular part of the Newton Identities, then e has indeed coordinates in F₂, and there exists G(Z)∈F₂[Z] and an integer l ≥0 such that

ρ^∗(Z) = σ^∗(Z)G(Z)²Z^l. (19)

Proof1. Suppose there exists a solutionρ^∗ toIC,n,v(S 7→S^∗). LetCS^∗ be the circulant matrix constructed fromS^∗ as in (2). From the solution (ρ^∗₁, . . . , ρ^∗_v), it is seen that the (v+ 1)-th column ofCS^∗ can be linearly expressed in terms of thev first columns. The circulant properties of the matrix CS^∗ then imply that the (v+2)-th column can be expressed in terms of thevprevious columns, and so on. Thus the v first columns generate the column space ofCS^∗, which must have a rank less than or equal to v. From Theorem 3,w≤v.

Conversely, if the weight of e is less than v, then the elementary symmetric functions of e, σ^∗₁, . . . , σ^∗_w are solutions of the circulant part of the Newton

Identities IC,w written for the weight w, specialized on S^∗. One checks that (σ^∗₁, . . . , σ^∗_w, σ^∗_w+1 = 0. . . , σ_v^∗ = 0)

is solution of IC,n,v(S 7→S^∗).

2. Let F ⊂ F^v

q be the set of solutions ρ^∗ = (ρ^∗₁, . . . , ρ^∗_v) of IC,n,v(S 7→ S^∗) as in (7), i.e. the set of ρ^∗ such that CS^∗T[ρ^∗,0, . . . ,0] = 0. Then, since the rank of CS^∗ is w,F is an affine space of dimension v−w. Let F^′ be the space

F^′ =

(

ρ^∗ = (ρ^∗₁, . . . , ρ^∗_v)∈F^v_q |σ^∗(Z) divides ρ^∗(Z) = 1 +

v

X

i=1

ρ^∗_iZⁱ

)

. ThenF^′ is also an affine space, of dimensionv−w. Let ρ^∗ ∈F^′ and ρ^∗(Z) be constructed from ρ^∗. Since σ^∗(Z)|ρ^∗(Z), and since, from (8), S^∗(Z)σ^∗(Z) = 0 modZⁿ−1, we also have:

S^∗(Z)ρ^∗(Z) = 0 modZⁿ−1,

i.e. (ρ^∗₁, . . . , ρ^∗_v)∈F. Thus F^′ ⊂F. Since they have the same dimension, they are equal.

3. Let σ^∗(Z) be the locator polynomial of e, and ρ^∗(Z) as in the Theorem.

Then, from statement 2. of the Theorem, σ^∗(Z)|ρ^∗(Z). Let then Z₁^∗, . . . , Z_w^∗ be the locators of e, and Z_w+1^∗ . . . , Z_v^∗ the roots of ρ^∗(Z) which are not loca- tors. Since S^∗ and ρ^∗ satisfy the Newton’s Identities, they satisfy the Waring formulas

S_i^∗ =Wv,i(ρ^∗₁, . . . , ρ^∗_v), i∈ {1, . . . , n}, (20) and since theρ^∗_i’s are the elementary symmetric functions of Z₁^∗, . . . , Z_v^∗:

S_i^∗ =

v

X

j=0

Z_j^∗i, i∈ {1, . . . , n}. (21) On the other hand,S^∗ is the Fourier Transform ofe. LetY_j^∗,j ∈ {1, . . . , w}be the coefficient ofe corresponding to the locator Z_j^∗, with Y_j^∗ 6= 0. Computing the Fourier Transform in terms of theYi’s and the Zi’s leads to

S_i^∗ =

w

X

j=1

Y_j^∗Z_j^∗i, i∈ {1, . . . , n}. (22) By equality of the right-hand sides of (21) and (22), we get the matricial relation





















Z₁^∗ . . . Z_w^∗ Z_w+1^∗ . . . Z_v^∗ Z₁^∗2 . . . Z_w^∗2 Z_w+1^{∗ 2} . . . Z_v^∗2

... ...

Z₁^∗n . . . Z_w^∗n Z_w+1^{∗ n} . . . Z_v^∗n





















Y_w,v^{∗ t}= 0 (23)

where Y_w,v^∗ is the vector (Y₁^∗ + 1, . . . , Y_w^∗ + 1,1, . . . ,1). Considering the ma- trix consisting only in the first v rows of the left-hand side matrix, we get a VanderMonde matrix, whose determinant ∆^∗_v is

∆^∗_v =

v

Y

i=1

Z_i^∗

!

 Y

1≤j1<j2≤v

(Z_j^∗₂ −Z_j^∗₁)



. (24)

Now there are two alternatives. Either the vector Y_w,v^∗ is zero, or the deter- minant ∆^∗_v is zero. In the first case, we get the result: w =v, and all the Y_i^∗ satisfy Y_i^∗+ 1 = 0. In the second case, they are three possibilities:

(1) one of theZ_j^∗’s is zero, for w+ 1≤j ≤ v;

(2) Z_j^∗1 =Z_j^∗2, forw+ 1≤j1, j2 ≤v;

(3) Z_j^∗₁ =Z_j^∗₂, with 1≤j₁ ≤w and w+ 1≤j₂ ≤v.

In case (1), we can rewrite (23), and withdraw thej-th column of the matrix.

Note that we get a factorZ in the polynomial ρ^∗(Z).

In case (2), the effect of the characteristic 2 is that the terms Z_j^∗₁ and Z_j^∗₂ in the equation (23) will collapse. We can rewrite the equation (23) without the j1-th and j2-th columns. Note that the equality Z_j^∗1 = Z_j^∗2 contributes as a square factor in ρ^∗(Z).

In case (3), thej1-th andj2-th columns will sum up, and we get a relation





















Z₁^∗ . . . Z_w^∗ Z_w+1^∗ . . . Z_v^∗ Z₁^∗2 . . . Z_w^∗2 Z_w+1^{∗ 2} . . . Z_v^∗2

... ...

Z₁^∗n . . . Z_w^∗n Z_w+1^{∗ n} . . . Z_v^∗n





















Y_w,v^∗′ = 0, (25)

where thej₂-th row of the matrix in (23) has disappeared, andY_w,v^∗′ = (Y₁^∗+ 1, . . . , Y_j^∗₁+ 1 + 1, . . . , Y_w^∗+ 1,1, . . . ,1) is a vector of length v−1.

In each of the cases (1), (2) and (3), the matrix of (23) has shrunk, eliminating columns where one of the Z_j^∗ occurs, w+ 1 ≤ j ≤ v. Repeating the process, we eventually get a relation





















Z₁^∗ . . . Z_w^∗ Z₁^∗2 . . . Z_w^∗2

... ...

Z₁^∗n . . . Z_w^∗n



































Y₁^∗+ǫ1

...

Y_w^∗+ǫw















= 0, (26)

containing only theZ_j^∗, 1≤j ≤w, and whereǫi = 0 or 1, from the effect of the

characteristic 2. Now the Vandermonde matrix of (26) is non singular, since the Z_i^∗’s, 1≤i≤w are distinct. Thus the vector Y₁^∗+ǫ1, . . . , Y_w^∗+ǫw is zero, which implies Y_i^∗ = 1, i∈ {1, . . . , w}, since they are non zero. Keeping track of the square factors, and of theZ factors ofρ^∗(Z) leads to the form (20). 2

5 One-step decoding

5.1 Zero dimensional ideals

We consider the following ideal, which is the ideal generated by the Newton’s identities, augmented with the so-called “field equations”:

I_N,n,v⁰ =IN,n,v+

*S_i^2m+Si, i∈ {1, . . . , n}, σ²_i^m+σi, i∈ {1, . . . , v}

+

. (27)

The addition of these field equations ensures that the solutions of this algebraic system all lie in the field F₂m, which is the splitting field of Xⁿ−1 over F₂. Furthermore, from (Cox et al., 2005, Chapter2, Proposition 2.7), we have that I_N,n,v⁰ is a radical ideal, since it contains a univariate square-free polynomial in each indeterminate. It is also a zero-dimensional ideal, since all the solutions lie in F₂m.

From the NullStellenSatz Cox et al. (1992), we have the following Corollary of Theorem 5.

Corollary 6 Let IN,n,v ∩F₂[SQ, SN] be the elimination ideal of the σi’s in IN,n,v. If IN,n,v is radical, then IN,n,v∩F₂[SQ, SN] is the set of all the relations between the coefficients of the Fourier Transform of the binary words of weight less thanv. Furthermore, if we eliminate theSi’s,i6∈Q, thenIN,n,v∩F₂[SQ]is the set of all the relations between the syndromes of the words (in the algebraic closure) of weight less than v.

Concerning the zero-dimensional ideals, since they are radical, we get:

Corollary 7 Let I_N,n,v⁰ ∩F₂[SQ, SN] be the elimination ideal of the σi’s in I_N,n,v⁰ . ThenI_N,n,v⁰ ∩F₂[SQ, SN]is the set of all relations between the coefficients of the Fourier Transform of words of weight less than or equal to v, whose Fourier Transform lie in F₂m.

Computing a Gr¨obner basis of IN,n,w, then eliminating the σi’s, we get a cri- terion which helps to determine the weight of the error.

Corollary 8 Let S_Q^∗ be the set of syndromes of some worde of weight w. Let Tv be a Gr¨obner basis of IN,n,v∩F₂[SQ], then e has a weight w less than or equal to v if and only if

t(S_Q^∗) = 0,for all t∈Tv. (28) We can use condition 28 as a criterion to find the weight w of some error e, by successively checking the conditions

t(S_Q^∗) = 0,for all t ∈Tv

for v = 1,2, . . . until we find the first v such that condition (28) is satisfied.

5.2 Properties of the ideal

Theorem 9 For each binary word e of weight w less than t, for each i ∈ {1, . . . , w}, the ideal I_N,n,w⁰ contains a polynomial

piσi +qi,

with pi, qi ∈F₂[SQ] such that pi(S_Q,e^∗ )6= 0, where S_Q,e^∗ is the set of syndromes of e.

Proof Consider I_j⁰ the ideal I_N,n,w⁰ ∩F₂[σj, SQ]. First note that I_j⁰ is a zero- dimensional radical ideal. Let ebe an error of weight w,S_Q^∗ the set of its syn- dromes, andσ^∗_j itsj-th elementary symmetric function. Then, from Theorem 5, the varietyV(IN,n,w) is exactly{σ₁^∗, . . . , σ^∗_w}, and the varietyV(I_j⁰(SQ 7→S_Q^∗)) is {σj −σ_j^∗}. Since the ideal is radical, one has

I_j⁰(SQ 7→S_Q^∗) = ^Dσj −σ_j^∗E. (29) Now, considering the specialization mapϕS_Q^∗ : (σj, SQ)7→(σj, S_Q^∗), Theorem 2 shows that there exists a polynomialgj =gj(σj, SQ)∈I_j⁰ such thatϕS_Q^∗(I_j⁰) =

DϕS_Q^∗(gj)^E and deg_σjgj = deg_σjϕS^∗_Q(gj) = 1. Thus the degree of gj in σj is one. Also the initialpj(SQ) ofgj does not vanish under the specialization. 2 Thus the decoding algorithm is:

(1) (precomputation) For each w ∈ {1, . . . , t}, compute a Gr¨obner basis Gw

of I_N,n,w⁰ , for an ordering such that the Si, i 6∈ Q, are greater than the σi’s which in turn are greater than the Si’s, i∈Q;

(2) (precomputation) from each Gr¨obner basis Gw, collect the polynomials inGw∩F₂[SQ], call Tw this set of polynomials;

(3) (precomputation) For each w ∈ {1, . . . , t}, for each i ∈ {1, . . . , w}, find all the polynomials piσi+qi, with pi, qi ∈F₂[SQ]. This can be done using relevant orderings. Call Σwe,i this set of polynomials.

(4) (online) for each received word y, compute the syndromes S_Q,y^∗ = S_Q,e^∗ , where e is the error to be found;

(5) (online) find the weight we of e using the criterion (28).

(6) (online) for each i∈ {1, . . . , we}:

(a) find the relation piσi+qi ∈Σwe,i such thatpi(S_Q^∗_e)6= 0 (b) solve for σ_i^∗:

σ_i^∗ = pi(S_Q^∗_e) qi(S_Q^∗_e)

There are two difficulties with this approach. First, the Gr¨obner basis can contain many polynomials of the form piσi +qi, i ∈ {1, . . . , w}, as we have observed on examples. Second, the field equations of the type σ_i^2m +σi, and S_i^2m+Sican be of large degree, even though the length of the code is moderate.

For instance, in the case of the quadratic residue code of length 41, the splitting field is F₂20 = F_1048576. This means that I_N,n,w⁰ contains equations of degree more than one million, and the computation of the Gr¨obner basis is intractable.

It is natural to try to remove the field equations, and to consider the ideal IN,n,w without the field equations.

5.3 Ideals of positive dimension

The main problem with the idealIN,n,v is that it is an ideal of positive dimen- sion. Thus we can not use the Specialization Theorem 2, and we are not able to prove that there exists polynomials of the formpiσi+qiinIN,n,v∩F₂[σi, SQ], although we think they do exist in all cases. However, in practice, the offline computation of the Gr¨obner bases of the idealIN,n,vorI_N,n,v⁰ are quite imprac- tical. We were able to compute the Gr¨obner basis only for very short examples, and the yielded formulas are too large to be evaluated efficiently online. We will now consider these systems for computation of Gr¨obner bases online.

6 Online computation of the Gr¨obner bases

6.1 Decoding up to half the minimum distance

In the case decoding with online computation of Gr¨obner bases, we first spe- cialize with the syndromes, then we compute the Gr¨obner basis. We have the following Theorem, which describes the idealIN,n,v(SQ 7→S_Q^∗) .

Theorem 10 Let S_Q^∗ be the set of syndromes of an error e of weight w, such that e is the only error of weight less than or equal to v admitting S_Q^∗ as syndromes (it is always the case when v ≤t). Let I be the ideal

I =IN,n,v(SQ 7→S_Q^∗) +hσ_w+1, . . . , σvi, (30) then

I =^Dσ1 −σ₁^∗, . . . , σw−σ^∗_w, σw+1, . . . , σv, Sj−S_j^∗, j ∈N^E. (31) ProofThe proof is in two steps: we first show that the two varieties associated to the ideals of each side of (31) are equal, then that I is radical. Since the ideal in the right-hand side of (31) is radical, equality will follow.

Let thus (ρ^∗, S_N^∗) be a solution of I. Then, from Theorem 5, the weight of the Inverse Fourier Transform e^′ of (S_N^∗, S_Q^∗) is less than or equal to v. Since we assumed that e is the only error of weight less than or equal to v admitting S_Q^∗ as syndromes, we must have e^′ =e, and (S_Q^∗, S_N^∗) is the Fourier Transform ofe. Furthermore, Theorem 5 ensures that the polynomial ρ^∗(Z), constructed fromρ^∗ is a multiple of σ^∗(Z). Since the terms ρ^∗_w+1, . . . , ρ^∗_v are zero, we have ρ^∗(Z) = σ^∗(Z)Z^v−w, and we conclude that the associated varieties are equal.

Now we prove that the ideal I is radical. Using the ideal IS,n,w defining the power-sum symmetric functions, we construct the ideal

J =IN,n,v(SQ 7→S_Q^∗) +IS,n,w+hσw+1, . . . , σvi ∈F₂[Z, σ, SN], (32) which is such thatJ∩F₂[σ, SN] =I (from Theorem 4). Then J has dimension zero, and the only solution Z^∗ = (Z₁^∗, . . . , Z_w^∗) such that

(Z_w^∗, σ^∗, σ_w+1^∗ = 0, . . . , σ_v^∗ = 0, S_Q^∗)∈V(J) is the set of the roots of the locator polynomial σ^∗(Z) of e.

Let ∆wbe defined as in Equation (24) in the proof of Theorem 5. The locators of e are such that ∆w(Z₁^∗, . . . , Z_w^∗) 6= 0. Using the equations S_i+n −Si = 0, i ∈ {1, . . . , n}, and the definition of the power-sum symmetric functions, the ideal J contains the following system of equations:

w

X

j=0

(Z_jⁱ⁺ⁿ−Z_jⁱ) = 0, i∈ {1, . . . , n}, (33) which is equivalent to the following matricial expression:

M















Z₁ⁿ−1 ...

Z_wⁿ−1















=















0 ...

0















modJ, (34)